Mount NFS on LXC Proxmox

8 August, 2018

I’m a long-time user of Proxmox (a few years), and recently I had the chance to upgrade a by-now ancient Proxmox 3.4 to the current 5.2. In that time frame the developers switched from OpenVZ to LXC and made a script to migrate the data. One key element is missing, however: mounting (remote) NFS shares is no longer possible from within the containers, at least not natively.

Within the container the error message lacks information and points towards a problem on the NFS server.

Aug  8 09:09:51 svennd mount: mount.nfs: access denied by server while mounting nfs_server:/data

However, on the Proxmox host, /var/log/messages shows that AppArmor is the problem.

apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/storage/nfs_server/data/" pid=25086 comm="mount.nfs" fstype="nfs" srcname="nfs_server:/data" flags="ro, noatime"

It seems this is a feature.

Well now, let’s try to undo this security feature. In my case the profile doing the blocking is lxc-container-default-cgns, which you can find in this file : /etc/apparmor.d/lxc/lxc-default-cgns. Some other configs can be found there as well (not sure which profile is loaded when). I added :

mount fstype=rpc_pipefs,
mount fstype=nfs,

below mount fstype=cgroup -> /sys/fs/cgroup/**, resulting in this final file :

# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=rpc_pipefs,
  mount fstype=nfs,
}

After that we need to reload AppArmor. I’m not sure what made it work again, but it was one of these :

apparmor_parser -r /etc/apparmor.d/lxc-containers
systemctl reload apparmor

And now we can mount from within once more ! 🙂

There is an alternative, but from what I read here you need to remap user IDs, use mount points on the host and bring them inside the container.
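To see exactly which mounts AppArmor blocked, and for which profile, before widening that profile, the denial lines can be summarised per profile and filesystem type. The script below is an added example, not part of the original post; the log lines are constructed from the denial shown above, and the function names aa_mount_denials and aa_suggest_rules are made up for this example.

```shell
#!/bin/sh
# Added example: summarise AppArmor mount denials per profile and filesystem
# type, so only the mounts that were really blocked get an allow rule.

# Constructed sample log, modelled on the denial shown in the post.
SAMPLE_LOG='Aug  8 09:09:51 pve kernel: audit: type=1400 apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/storage/nfs_server/data/" pid=25086 comm="mount.nfs" fstype="nfs" srcname="nfs_server:/data" flags="ro, noatime"
Aug  8 09:10:12 pve kernel: audit: type=1400 apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/storage/nfs_server/data/" pid=25101 comm="mount.nfs" fstype="nfs" srcname="nfs_server:/data" flags="ro, noatime"
Aug  8 09:12:40 pve kernel: audit: type=1400 apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/mnt/share/" pid=25230 comm="mount.cifs" fstype="cifs" srcname="//fileserver/share" flags="rw"
Aug  8 09:13:02 pve kernel: audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/example.conf" pid=1201 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug  8 09:14:00 pve kernel: audit: type=1400 apparmor="STATUS" operation="profile_replace" profile="unconfined" name="lxc-container-default-cgns" pid=25400 comm="apparmor_parser"'

# Reads a log on stdin and prints one line per distinct denied mount:
#   profile <TAB> fstype <TAB> srcname <TAB> number of denials
aa_mount_denials() {
    awk '
    # Value of key="value" in line, or "" when the key is absent. Values may
    # contain spaces (flags="ro, noatime"), so splitting on blanks is not
    # enough. The key must follow a space, so a lookup for name cannot match
    # inside srcname.
    function field(line, key,    s) {
        line = " " line
        if (!match(line, " " key "=\"[^\"]*\"")) return ""
        s = substr(line, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s)    # drop everything up to the opening quote
        sub(/"$/, "", s)         # drop the closing quote
        return s
    }
    /apparmor="DENIED"/ && field($0, "operation") == "mount" {
        key = field($0, "profile") "\t" field($0, "fstype") "\t" field($0, "srcname")
        if (!(key in count)) order[++n] = key
        count[key]++
    }
    END {
        for (i = 1; i <= n; i++) printf "%s\t%d\n", order[i], count[order[i]]
    }
    '
}

# Reads the summary above on stdin and prints candidate allow rules for one
# profile. The fstype comes from a log, so anything that is not a plain
# identifier is dropped instead of being written into a profile.
aa_suggest_rules() {
    profile=$1
    awk -F '\t' -v p="$profile" '
        $1 == p && $2 ~ /^[A-Za-z0-9_]+$/ && !seen[$2]++ {
            printf "  mount fstype=%s,\n", $2
        }
    '
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | aa_mount_denials
printf '%s\n' "$SAMPLE_LOG" | aa_mount_denials | aa_suggest_rules lxc-container-default-cgns
```

On the Proxmox host, feed it the real log instead of the sample, for example aa_mount_denials < /var/log/messages. The first column shows which profile a rule would have to go into, and a rule added to a shared default profile applies to every container that uses it.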

A small list for important Proxmox files & directories.

For LXC (Linux containers) :

config: /var/lib/lxc/$ct_id/config

For KVM (Kernel-based Virtual Machine, mostly Windows machines)

config: /etc/pve/qemu-server/$kvm_id.conf

Cluster files (if you use Proxmox cluster)

per node configuration : /etc/pve/nodes/$node_name/*

Location of the ISO files that can then be loaded from the web interface :

/var/lib/vz/template/iso/

In order to increase the size of files you can upload in WordPress, we need to adapt the software that powers it.

Let’s begin with PHP, I use Nginx + php-fpm to run PHP, so I need to edit

/etc/php.ini

On line 799, upload_max_filesize determines the maximum size of an uploaded file that PHP will accept.

upload_max_filesize = 2M

This should not be too big, but a few megabytes will work just fine. I increased this to 10M (~10MB).

After that it’s time to update Nginx to allow larger upload bodies; I already documented that error in the past. So in short :

/etc/nginx/nginx.conf

add after the

http {

# increase upload size to 10MB
client_max_body_size 10M;

Once that is done, just restart Nginx and php-fpm.

systemctl restart nginx
systemctl restart php-fpm

And voila

Some powerful and/or useful find commands. As with anything on the web, test before running ! (I forget the syntax, so this is mainly self-documenting.)

Find all *.tsv files larger than 1M, compress them with the super fast lz4 on high compression and remove the source file afterwards.

find . -name "*.tsv" -size +1M -exec lz4 -9 --rm '{}' \;

In the same vein: gzip all files ending with *.fastq; they also cannot end with *.gz (redundant in this case, but it’s an extra safety).

find . -type f -name "*.fastq" ! -name '*.gz' -exec gzip "{}" \;

Recursively remove all directories matching the name *.tsv.index with a single rm or echo command. This makes it easy to swap out rm for echo as a test.

find . -type d -name "*.tsv.index" -exec echo {} +
find . -type d -name "*.tsv.index" -exec rm -rf {} +

A combination of a few commands: calculate the storage used by all files larger than 1M, with no hard links, ending with *.tsv.

find . -name "*.tsv" -size +1M -links 1 -print0 | du -hc --files0-from=- | tail -n 1

(edit: might not work as intended)

find . -name "log_jobs" -exec du -hc {} +

 

Find files that are newer than 5 minutes :

find . -type f -mmin -5

and older :

find . -type f -mmin +5

Hard links are nice, but also a (enter curse-word) to track; luckily we have find to locate them :

find /data -xdev -samefile file.txt

This finds all the files that are exactly the same as file.txt (so only hard links, no soft links or copies). Since hard links cannot cross file systems, it’s logical to add -xdev, which tells find not to enter other file systems. If you are also looking for soft links, remove -xdev and add -L.

Generate an md5sum for every file in the current directory except the files “mylog.log” and “md5.lst”.

find . -type f ! -name "mylog.log" ! -name "md5.lst" -exec md5sum "{}" + > md5.lst

 

A quick and dirty way to find directories (=experiments) that have been made in the last 90 days, sorted by date (removing hard linked .save dirs).

find . -maxdepth 1 -name "*_machine_ID_*" -type d -ctime -90 | grep -v '\.save' | sort -t_ -k 2

Ignoring certain files can be done using ! -name "*file", for example. This finds all directories starting with 17 and not ending with .save (hard link for us) and shows the size of those directories.

find . -maxdepth 1 -name "17*" ! -name "*.save" -type d -exec du -hs '{}' +

 

Count files of a certain type in a single directory (not recursively)

find . -maxdepth 1 -name "*.fastq" | wc -l

 

I could not remove this folder in Windows. It gave an error that it was not there anymore … uh-oh … corruption ? I checked the disk using the Windows utility but the disk seemed fine (raid was a-OK).

To my surprise the only solution was to go to the windows console / command prompt and remove the directory directly from there. So Windows is becoming more like Linux, I like it !

The command to be used is rd :

rd /S \\?\D:\arch_micro_data\svennd\data\2015

rd stands for remove directory; /S is the flag for recursively removing the tree.

After running this command, and accepting the removal, bloop, directory was gone.

What the \\? means I have not found, but the solution came from spiceworks.

sleep and sysadmin

This is a tale of caution: when sleep deprived, sysadmin with caution! Let’s be honest, who never said : let’s finish this game, let’s have another drink, I will sleep when dead, … (enter sleepless night excuse here) ? Last night I was on a coding spree when a thunderstorm broke. I was like, whoa, it’s already too late, let’s take my camera and try to take some thunder shots (it failed). It ended up being a very short 5h night.

Fast forward to the next morning. There was a planned power-down at work, but the UPSes (Uninterruptible Power Supplies) should take the heat, unless it was extended due to circumstances. We had prepared for this situation two weeks prior, when it was cancelled. So I was pretty sure my task would be to sit there and say, good work team!

It was a 7 minute blackout, butter smooth; we planned for 15m ! After the planned boot procedure all was up and running in no time, with the exception of one machine, which had updated and was now running Centos 7.5. The machine refused to show the ZFS partitions; normally this machine plays nice, but not today. I immediately thought of a kernel module not loading; however, that failed ! Time to panic ! Well, for sure the data was not gone, since it’s just not accessible in this kernel. So the panic was never really there, as my brain was too slow to really get in the panic mood. Just add coffee and time, I thought.

My first attempt was to remove the zfs and spl modules and redo the dkms installation following the official guide, after removing every trace of ZFS; that royally failed. Ok. Time for kABI. Until today I assumed that was kernel-my-girlfriends-name (Abby); it turns out it’s not, and it’s actually Kernel Application Binary Interface. As the Red Hat customer platform says nicely :

kABI is a set of in-kernel symbols used by drivers and other kernel modules. Each major and minor Red Hat Enterprise Linux release (and Centos/Fedora kernel) has set of in-kernel symbols whitelist, which are defined in “/usr/src/kernels/”kernel-version”/Module.symvers” file. source

Following the guide for kABI, success was not to be found. Ok, I got no errors that yielded any Google results, so it was time for the deep and dirty. Let’s compile from source ! Failed. I had a lot of kernels installed, so let’s remove them all except one and rebuild. Fail. Maybe the kernel is too new, let’s install an older kernel and rebuild again. Fail. Good, this 0.7.x version of ZFS is at fault, let’s try this 0.5.X. Fail. Let’s check the Centos board to see if there are known issues. Nothing. Let’s check the Github of the ZoL project. Nothing.

Good, I genuinely found a new bug in ZFS when working with Centos 7.5. (By this time, my brain should have said, wait a minute, did we read the error ?) Even though Centos 7.5 has been out for a while already, and even before that RHEL 7.5 is always out first to the enterprise users…. So this error makes no sense whatsoever.

My brain was pretty stable, focused and definitely not counting the minutes till the weekend. It also had enough sleep and was not on any kind of substances such as “OD levels” of caffeine and sugar. I made the choice to claim ZFS developers’ time and open a new ticket with the developers. After all, they fubar’d, right ?

The only thing I did not do was to really read the error :

zfs: Unknown parameter 'zil_slog_limit'

Yes, if you set tuning values for a module and the module updates significantly (0.5 -> 0.7), some parameters get dumped/deprecated. I feel a bit ashamed for stealing developer time for my own stupidity. But I hope this blog post is a bit of payback. The next person who googles this error will find my shame post and not waste dev. time.

As to the fix: comment out or remove zil_slog_limit in /etc/modprobe.d/zfs.conf or a similar configuration file.

Thanks behlendorf, I hope you get a good night’s rest !
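One way to catch a stale tuning value like this before the next reboot is to compare the parameters set in the modprobe configuration with the ones the installed module still accepts. The script below is an added example, not from the original post; the function name unknown_module_params and both sample inputs are constructed, and it assumes modinfo -p prints one parameter per line as name:description.

```shell
#!/bin/sh
# Added example: list module parameters that a modprobe.d-style config sets
# but that the installed module does not (or no longer) know about.

# Constructed sample config (the real one would be /etc/modprobe.d/zfs.conf).
SAMPLE_CONF='# tuning carried over from an older ZFS release
options zfs zfs_arc_max=8589934592 zil_slog_limit=1048576
options spl spl_kmem_cache_slab_limit=16384
# options zfs zfs_prefetch_disable=1'

# Constructed sample in the name:description (type) layout of modinfo -p.
SAMPLE_MODINFO='zfs_arc_max:Max arc size (ulong)
zfs_prefetch_disable:Disable all ZFS prefetching (int)'

# unknown_module_params MODULE [PARAM_LIST]
# Reads modprobe.d config on stdin and prints every parameter that an
# "options MODULE ..." line sets but PARAM_LIST does not contain.
# PARAM_LIST defaults to the output of: modinfo -p MODULE
unknown_module_params() {
    module=$1
    valid=${2-$(modinfo -p "$module")}
    # The list is passed through the environment because it spans several
    # lines, which not every awk accepts in a -v assignment.
    VALID_PARAMS=$valid awk -v mod="$module" '
    BEGIN {
        # Keep only the name in front of the first colon of each line.
        n = split(ENVIRON["VALID_PARAMS"], rows, "\n")
        for (i = 1; i <= n; i++) {
            name = rows[i]
            sub(/:.*/, "", name)
            if (name != "") known[name] = 1
        }
    }
    /^[ \t]*#/ { next }                     # skip comment lines
    $1 == "options" && $2 == mod {
        for (i = 3; i <= NF; i++) {
            param = $i
            sub(/=.*/, "", param)           # name=value -> name
            if (!(param in known)) print param
        }
    }
    '
}

# Demo on the constructed sample: prints the one parameter that is gone.
printf '%s\n' "$SAMPLE_CONF" | unknown_module_params zfs "$SAMPLE_MODINFO"
```

On a real host the same check is cat /etc/modprobe.d/*.conf | unknown_module_params zfs, run after the package update and before rebooting into it.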

A weird bug that crashed the samba server :

# service smb status
Redirecting to /bin/systemctl status smb.service
● smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2018-05-11 05:27:35 CEST; 4 days ago
 Main PID: 1130 (code=exited, status=1/FAILURE)

May 11 05:27:35 svennd.be systemd[1]: Starting Samba SMB Daemon...
May 11 05:27:35 svennd.be smbd[1130]: /usr/sbin/smbd: /usr/lib64/samba/libreplace-samba4.so: version `SAMBA_4.6.2' not found (required by /lib64/libwbclient.so.0)
May 11 05:27:35 svennd.be smbd[1130]: /usr/sbin/smbd: /usr/lib64/samba/libwinbind-client-samba4.so: version `SAMBA_4.6.2' not found (required by /lib64/libwbclient.so.0)
May 11 05:27:35 svennd.be systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
May 11 05:27:35 svennd.be systemd[1]: Failed to start Samba SMB Daemon.
May 11 05:27:35 svennd.be systemd[1]: Unit smb.service entered failed state.
May 11 05:27:35 svennd.be systemd[1]: smb.service failed.

Restarting the service is enough to fix it.  Somehow this has happened due to updates :

from /var/log/yum.log


While compiling minimap2 on Centos 7, I got this annoying error :

fatal error: zlib.h: No such file or directory

Missing dependency ! I wish some tool would help out and tell me what library I was missing, so I could stop making these posts.

As to the solution :

yum install zlib-devel

for debian :

apt-get install libz-dev

I’m no expert on this, but I had to google everything together so many times, I made a soon-to-be-outdated half-ass guide on how to let users access a samba share on Linux using the windows domain controller “AD” (active directory) or at least how I got it to work. Let me know if it worked out for you or if you hit a brick wall. Perhaps we need to tune the sound a bit ;-).

Dependencies

They might be needed or not, I have no clue, just install them already.

yum install sssd realmd oddjob oddjob-mkhomedir adcli krb5-workstation openldap-clients policycoreutils-python samba samba-client samba-common samba-common-tools ntpdate ntp

sssd is a relatively new method of getting the system to talk to the AD server. Samba obviously is needed for creating the Windows-accessible shares. The last dependency might not be required, but it’s good to make sure that, if you get issues, it’s not because the servers disagree on time/date. Hence, NTP will help keep the same date between servers.

Connecting

Or better said, let’s “join” the dark side of Windows. I’m not gonna lie, this is pretty ugly, but in Kerbal Space Program’s motto, any landing you can walk away from is called a success.

First add the domain controller to /etc/hosts; this ensures that every connection will go to the right server, regardless of DNS, since the hosts file has the highest priority.

# cat /etc/hosts
123.123.123.123 mydomain.at.my.be mydomain

123.123.123.123 should be the IP, mydomain.at.my.be should be the full domain, and the last, optional, entry is the alias for the domain.

Many guides will also adapt /etc/resolv.conf. While I don’t think it’s needed, we do not take risks here. resolv.conf is used for looking up the DNS; for this server, using the domain controller is highly suggested.

# cat /etc/resolv.conf

search my_domain.be
nameserver 123.123.123.123

Adapt as required.

The next step is making sure the servers have the same time set up; this won’t be an issue for many, but it’s good practice. Do an ntpdate call to the domain server to get a fix.

# ntpdate domain
4 May 15:47:01 ntpdate[17004]: adjust time server 123.123.123.123 offset 0.015744 sec

Something similar should be shown; after that we can set the service up to take over. If there is a huge difference, perhaps add the domain controller as NTP server. This would be done in /etc/ntp.conf as "server domain iburst".

systemctl enable ntpd.service
systemctl start ntpd.service

Then finally we are ready to join the domain, this is done using :

realm join --user=domain_admin mydomain

This hopefully silently adds your computer to the domain (after login), or if it fails it spits errors. After this is silently successful, you will find the realm in the realm list.

# realm list
domain.url
  type: kerberos
  realm-name: DOMAIN.url
  domain-name: DOMAIN.url
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins

note : slightly modified configuration shown.

Configuration

After we have the initial connection, it’s time to set up the configuration; this is done in /etc/sssd/sssd.conf . There are multiple parameters that can be adapted here. One in particular pops up as having an annoying default set.

use_fully_qualified_names

By default this is set to True, and domain users will be identified as “name@domain” instead of “name“. Set it to False to drop the @domain

use_fully_qualified_names = False

In a similar way, home directories have a symbol in the name. While this in itself is harmless, it can be annoying in scripts or tools that can’t deal with these symbols. Perhaps some people have multiple domains, but for me that’s never the case, so I tend to remove the domain entirely. Alternatively you could do something like /home/domain/user (/home/%d/%u). Below I use /home/user, like native users on a Linux system. Change /home/%u@%d to /home/%u

fallback_homedir = /home/%u

After edit(s), reload sssd :

systemctl restart sssd

To verify the connection is functional, you can check a random (non-local) AD user :

# id svennd
uid=1406204049(svennd) gid=1406200519(enterprise admins) groups=1406200519(enterprise admins),1406200513(domain users),1406200512(domain admins),1406204598(bioinf users)

At this point, all AD users should be able to log in using SSH on the system. (if sshd is running)

Samba

OK, now users can log in to the server over ssh, but we want to make a samba share available; so install samba if you did not do this in the first part. Don’t worry, I will wait.

yum install samba samba-client samba-common

Now adapt the configuration mostly to your own wishes; This is how I use mine :

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
        # smb.conf has no trailing comments: a # after a value becomes part of
        # the value, so every comment sits on its own line.
        # CAPITALS make it work, domain controllers need hearing aids
        workgroup = DOMAIN
        # Active Directory Server
        security = ads
        encrypt passwords = yes
        # adapt to full domain url
        realm = domain_url

        # starting this will replace it for user_id issues
        passdb backend = tdbsam

        printing = cups
        # mute annoying errors
        printcap name = /dev/null
        load printers = no
        cups options = raw
[data]
        valid users = @"[email protected]_url"
        path = /data
        # everyone can see it (if you are able to log in); public is a synonym
        # for guest ok, so the later "guest ok = no" is the value that applies
        public = yes
        # everyone can write here (if you are in valid users)
        writable = yes
        guest ok = no

Important parts here are :

workgroup = DOMAIN

Workgroup has to be the domain.

security = ads

Sets the security as “Active Directory Server”; the value domain won’t work.

realm = domain_url

Full realm, you can find this using realm list

For restriction you can change the valid users using this syntax :

valid users = @"[email protected]_url"

This would only allow users of that group. The syntax works for domain groups; local groups just have @devs. Individual users can also be added, like this :

valid users = @"[email protected]_url" @localgroup svennd alice
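
An added example (not from the original post): a small Python lint for the smb.conf points listed above. It also flags two traps of the file format: smb.conf has no trailing comments, so text after a # on a parameter line becomes part of the value, and public is a synonym for guest ok, so a later guest ok = no overrides it. The function names and finding codes are made up for this example, and the uppercase-workgroup check follows this post's advice.

```python
import re

# Constructed sample: the text after "domain" is not a comment, it joins the value.
SAMPLE = """\
[global]
        workgroup = domain # capitals
        security = ads
        # realm left out on purpose
[data]
        public = yes
        guest ok = no
"""

def parse_smb_conf(text):
    """Return {section: [(lineno, key, value)]}; '\\' continuations not handled."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":   # comments only count at line start
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())   # names ignore case and spacing
            sections[current].append((lineno, key, value.strip()))
    return sections

def lint(text):
    findings, sections = [], parse_smb_conf(text)
    for params in sections.values():
        seen = {}
        for lineno, key, value in params:
            if re.search(r"\s[#;]", value):
                findings.append((lineno, "inline-comment"))
            canon = "guest ok" if key == "public" else key   # synonyms
            if seen.get(canon, value) != value:
                findings.append((lineno, "overrides-earlier-" + canon.replace(" ", "-")))
            seen[canon] = value
    glob = {k: v for _, k, v in sections.get("global", [])}
    if glob.get("security", "").lower() == "ads" and "realm" not in glob:
        findings.append((0, "ads-without-realm"))
    if glob.get("workgroup", "") != glob.get("workgroup", "").upper():
        findings.append((0, "workgroup-not-uppercase"))
    return sorted(findings)   # (lineno, code); lineno 0 = whole file

if __name__ == "__main__":
    print("\n".join(f"line {n}: {c}" for n, c in lint(SAMPLE)))
```

Run it against a copy of /etc/samba/smb.conf by passing the file contents to lint(); testparm, mentioned in the config header, remains the authoritative check.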

Pitfalls & debugging

1. Firewall / Iptables

During debugging shut them down, and once everything is resolved put them back up. For the firewalld lovers (default), add samba as an allowed service :

firewall-cmd --permanent --zone=public --add-service=samba
firewall-cmd --reload

For iptables.

2. SELinux

Ow god this again, yes!!! To check if SELinux is enabled, (yes by default, even on minimal) use sestatus :

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Unless you want to disable selinux, you will require the typical voodoo SELinux talk; For any directory where you set a share you need to run :

chcon -t samba_share_t /dir

If you would like home directories to be generated automatically when a domain user authenticates (/etc/samba/smb.conf) :

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

You need to run :

semanage fcontext -a -t home_root_t /home
semanage fcontext -a -t user_home_dir_t /home
semanage fcontext -a -t user_home_t /home
restorecon -Rv /home

or some other magic.

After all that, you can start samba :

systemctl enable smb
systemctl enable nmb
systemctl start smb
systemctl start nmb

And that’s it. Kudos to all the slightly out-of-date tutorials.

addition : (helpful)

https://access.redhat.com/solutions/2221561

I can’t seem to find apcupsd (a UPS monitor that shuts down computers before you run out of UPS power) on Centos 6. Surprisingly, on Centos 7 this package is available from epel, but not so for Centos 6. Here is a condensed howto to get the source and compile it. (mainly for my personal use)

wget https://kent.dl.sourceforge.net/project/apcupsd/apcupsd%20-%20Stable/3.14.14/apcupsd-3.14.14.tar.gz
tar xvf apcupsd-3.14.14.tar.gz
cd apcupsd-3.14.14
./configure
make
make install

Then follow settings :

Install APCUPSD on Centos 7